feat: booted hetzner server

flake.lock

@@ -974,12 +974,12 @@
         "pre-commit-hooks": "pre-commit-hooks_2"
       },
       "locked": {
-        "lastModified": 1703206032,
-        "narHash": "sha256-hCuX9y1lUwa8Ck0jruebL2YLhwnDunav/uiIp9EvmNc=",
-        "owner": "oddlama",
-        "repo": "nixos-extra-modules",
-        "rev": "073a8ae3b34ed85619dd22bba0d4fb6b6e8e14d1",
-        "type": "github"
+        "dirtyRev": "c2b389938b166987c4a4fb867ccaa8ff530ddc71-dirty",
+        "dirtyShortRev": "c2b3899-dirty",
+        "lastModified": 1703274021,
+        "narHash": "sha256-r5y1DmRxlKF3rlJoIULeq1lGVGWbTZxmNGlQ0jW8ZjQ=",
+        "type": "git",
+        "url": "file:///home/patrick/repos/nix/nixos-extra-modules"
       },
       "original": {
         "owner": "oddlama",

hosts.toml

@@ -13,3 +13,7 @@ system = "x86_64-linux"
 [gojo]
 type = "nixos"
 system = "x86_64-linux"
+
+[maddy]
+type = "nixos"
+system = "x86_64-linux"

hosts/maddy/default.nix

@@ -0,0 +1,24 @@
+{
+  lib,
+  minimal,
+  ...
+}: {
+  imports =
+    [
+      ../../modules/config
+      ../../modules/optional/initrd-ssh.nix
+
+      ../../modules/hardware/zfs.nix
+
+      ./net.nix
+      ./fs.nix
+    ]
+    ++ lib.lists.optionals (!minimal) [
+    ];
+  services.xserver = {
+    layout = "de";
+    xkbVariant = "bone";
+  };
+  boot.mode = "bios";
+  boot.initrd.availableKernelModules = ["virtio_pci" "virtio_net" "virtio_scsi" "virtio_blk"];
+}

hosts/maddy/fs.nix

@@ -0,0 +1,35 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  disko.devices = {
+    disk = {
+      drive = {
+        type = "disk";
+        device = "/dev/disk/by-id/${config.secrets.secrets.local.disko.drive}";
+        content = with lib.disko.gpt; {
+          type = "table";
+          format = "gpt";
+          partitions = [
+            (partGrub "grub" "0%" "1MiB")
+            (partEfiBoot "bios" "1MiB" "512MiB")
+            (partLuksZfs "rpool" "rpool" "512MiB" "100%")
+            #(lib.attrsets.recursiveUpdate (partLuksZfs "rpool" "rpool" "17GiB" "100%") {content.extraFormatArgs = ["--pbkdf pbkdf2"];})
+          ];
+        };
+      };
+    };
+
+    zpool = with lib.disko.zfs; {
+      rpool = defaultZpoolOptions // {datasets = defaultZfsDatasets;};
+    };
+  };
+
+  fileSystems."/state".neededForBoot = true;
+  fileSystems."/persist".neededForBoot = true;
+  boot.initrd.luks.devices.enc-rpool.allowDiscards = true;
+  boot.loader.grub.devices = [
+    "/dev/disk/by-id/${config.secrets.secrets.local.disko.drive}"
+  ];
+}

hosts/maddy/net.nix

@@ -0,0 +1,33 @@
+{config, ...}: {
+  networking.hostId = config.secrets.secrets.local.networking.hostId;
+  networking.domain = config.secrets.secrets.global.domains.mail;
+
+  boot.initrd.systemd.network = {
+    enable = true;
+    networks = {inherit (config.systemd.network.networks) "lan01";};
+  };
+
+  systemd.network.networks = {
+    "lan01" = let
+      icfg = config.secrets.secrets.local.networking.interfaces.lan01;
+    in {
+      address = [
+        icfg.hostCidrv4
+        icfg.hostCidrv6
+      ];
+      gateway = ["fe80::1"];
+      routes = [
+        {routeConfig = {Destination = "172.31.1.1";};}
+        {
+          routeConfig = {
+            Gateway = "172.31.1.1";
+            GatewayOnLink = true;
+          };
+        }
+      ];
+      matchConfig.MACAddress = icfg.mac;
+      networkConfig.IPv6PrivacyExtensions = "yes";
+      linkConfig.RequiredForOnline = "routable";
+    };
+  };
+}

hosts/maddy/secrets/generated/initrd_host_ed25519_key.age

@@ -0,0 +1,14 @@
+age-encryption.org/v1
+-> X25519 ep9dccBXMw0tEheuaIHeWMvhUKwtBFm0+mZJ5gCYxn0
+4ZVc8jn+4EsztT9drb4aUNCphqcwmAGGlFy3EfAaFJE
+-> piv-p256 XTQkUA AjvE9Foo//U4E/1d/5KasrCji7H7eCmJEsaql16s27Ou
+OWf66Ql7f2FWqzzcfHzUJ9fA5a0rhvQEQ9xrEAbATpw
+-> piv-p256 ZFgiIw AvU0lAitU4jUegJH3s2btabyRtN38JbxMlgnOqZwvYyb
++655NICGD8ARcYPx+fCrh0aE5ZG0edMpoCcPDPQ8pvk
+-> piv-p256 ZFgiIw Aj4PUKsRiW04mmhOXPRQbr0myd//IeznPebXA4Oa1eRI
+CaRtlEkYAKOc8+t2d40f+GpzXY8SXpDEPQevhk8xb8s
+-> pK&V%|-grease BFxJOSz B9%c_+
+P1vAU7VI4VydjqLAjtDWqjKOP1k6iHjYsCgly21IvQsbwt4rwbUzodkpPtB6P7xt
+rcsi6e+J8Q9nc4lPRjsYyN/RiE1HIpr2MW+bBxljiyK/uC+1oxjZeKAKYTF/
+--- Sp0YG5pL58MD8xQ3XuIeBSuOQQy3+jJwBmhwNLWxbxM
+IYÅÜlŠm«1´*mW«OY+’#°5ÍB'Œqü¼]4N"2>¡é‡¡ $žH?‡ï.]r¢º`Y¹Ýã{]‚zA…¾Ó§9²L¦è¾F¢†§Ù'E'í-~›Ƈx@=•ÉÑGÜ—a8Æ*UT&¡Gè·šòîŒS\Ž¯ä•!P.üð˜p}ádM¢a.G‹:àïÀgüôÑôCê<43>S’[,öB¦Bå	ë',ÛšóÊ9šÀv€JND%ƒìŠÑ…·£Ûûæ@Þæ_–¬^uÆU¯}91ÿ8ãITÿQÈÏ´|“‡M<ƒïuà®]ñMç¨Ø$<24>Xœ­?öo‡é ÿtÛ,Hñ³Y<C2B3>zÖÓ¥ÑäŸæ_OH^•³‹‰·îÆ^«œ!IѲò‡}rIôÂ$ý²Wgð'ÙìE¯è'ïâRD!<21>OA™­ZY	.Z ÂH6™/ï’õyJCV2Í¡0‰LÉñÒb©&êDK†÷j$ñ<16>ìuõA<C3B5>.ê8=èö&#n¹J%€ŠÂ>ß΃Ý[‘8:~<7E>ŒµÉ—È]”f¦€š_[¨¯v
VoÖ–t6hE

lib/disko.nix

@@ -4,6 +4,11 @@ _inputs: _self: super: {
     // {
       disko = {
         gpt = {
+          partGrub = name: start: end: {
+            inherit name start end;
+            part-type = "primary";
+            flags = ["bios_grub"];
+          };
           partEfiBoot = name: start: end: {
             inherit name start end;
             fs-type = "fat32";

modules/config/default.nix

@@ -1,7 +1,10 @@
-{inputs, ...}: {
+{
+  inputs,
+  lib,
+  ...
+}: {
   imports = [
     ./boot.nix
-    ./efi.nix
     ./home-manager.nix
     ./inputrc.nix
     ./issue.nix
@@ -32,4 +35,5 @@
     inputs.nixos-extra-modules.nixosModules.default
   ];
   age.identityPaths = ["/state/etc/ssh/ssh_host_ed25519_key"];
+  boot.mode = lib.mkDefault "efi";
 }

modules/config/efi.nix

@@ -1,7 +0,0 @@
-{
-  # Use the systemd-boot EFI boot loader.
-  boot.loader = {
-    systemd-boot.enable = true;
-    efi.canTouchEfiVariables = true;
-  };
-}

modules/optional/initrd-ssh.nix

@@ -1,11 +1,8 @@
 {
   config,
   pkgs,
-  lib,
-  minimal,
   ...
-}:
-lib.optionalAttrs (!minimal) {
+}: {
   age.secrets.initrd_host_ed25519_key.generator.script = "ssh-ed25519";
 
   boot.initrd.network.enable = true;
@@ -28,10 +25,12 @@ lib.optionalAttrs (!minimal) {
   # for the first time, and the secrets were rekeyed for the the new host identity.
   system.activationScripts.agenixEnsureInitrdHostkey = {
     text = ''
-      [[ -e ${config.age.secrets.initrd_host_ed25519_key.path} ]] \
-        || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${config.age.secrets.initrd_host_ed25519_key.path}
+      if [[ ! -e ${config.age.secrets.initrd_host_ed25519_key.path} ]]; then
+        mkdir -p "$(dirname "${config.age.secrets.initrd_host_ed25519_key.path}")"
+        ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f "${config.age.secrets.initrd_host_ed25519_key.path}"
+      fi
     '';
-    deps = ["agenixInstall"];
+    deps = ["agenixInstall" "users"];
   };
   system.activationScripts.agenixChown.deps = ["agenixEnsureInitrdHostkey"];
 }